8.2.6. Setting Up Kerberos Authentication

In order to set up Kerberos authentication, you need to know the address of your key distribution center (KDC) and the name of the Kerberos realm. The client configuration is then stored in the /etc/sssd/sssd.conf file.

The Kerberos 5 authentication back end does not contain an identity provider and must be paired with one in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication back end must be supplied by the identity provider, such as the user's Kerberos user principal name (UPN). The identity provider configuration should contain an entry that specifies where this UPN comes from. Refer to the manual page for the applicable identity provider for details on how to configure the UPN.

If the UPN is not available from the identity back end, SSSD constructs one using the format username@krb5_realm.

SSSD assumes that the Kerberos KDC also runs the kadmin (password-changing) service. However, it is very common for production environments to have multiple read-only replicas of the KDC but only a single kadmin server, because password changes and similar operations are comparatively rare. To handle this type of configuration, use the krb5_kpasswd option to specify where your password-changing service runs, or that it runs on a non-default port. If krb5_kpasswd is not defined, SSSD tries to use the Kerberos KDC to change the password. Refer to the sssd-krb5(5) manual page for more information about this and all other Kerberos configuration options.

This example describes the minimum options that must be configured when using Kerberos authentication. Refer to the sssd-krb5(5) manual page for a full description of all the options that apply to configuring Kerberos authentication.

DNS Service Discovery

The DNS service discovery feature allows the Kerberos 5 authentication back end to automatically find the Kerberos servers (KDCs) to connect to by querying DNS SRV records. For more information on the DNS service discovery feature, refer to "Using SRV Records with Failover".
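The rules above (a krb5 authentication back end needs a separate identity provider, krb5_realm is mandatory, a missing krb5_server means SRV discovery, and password changes fall back to the KDC when krb5_kpasswd is unset) can be checked mechanically. The following is an added example written for this page, not SSSD code and not the configuration example the section refers to. Both sssd.conf fragments are constructed for the example; the hostnames, search base and the EXAMPLE.COM realm are placeholders. It uses ldap_user_principal, the sssd-ldap(5) option that names the attribute holding the UPN.

```python
"""Added example: lint the Kerberos-related settings of an sssd.conf.

Not SSSD code. The two configuration fragments are constructed for the
example; hosts, search base and the EXAMPLE.COM realm are placeholders.
"""
import configparser

# LDAP supplies identities (and the UPN via ldap_user_principal); Kerberos authenticates.
GOOD_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
ldap_uri = ldap://server.example.com
ldap_search_base = dc=example,dc=com
ldap_user_principal = krbPrincipalName
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
"""

# Two mistakes the text warns about: krb5 auth with no identity provider, and no realm.
BAD_CONF = """\
[sssd]
services = nss, pam
domains = broken

[domain/broken]
auth_provider = krb5
krb5_server = kdc.example.com
"""


def fallback_upn(username: str, realm: str) -> str:
    """The UPN SSSD constructs when the identity back end does not supply one."""
    return "%s@%s" % (username, realm)


def check_sssd_conf(text: str) -> list:
    """Return (level, section, message) findings for every [domain/*] that authenticates via krb5."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf values such as %U must not be interpolated
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("auth_provider") != "krb5":
            continue
        id_provider = d.get("id_provider")
        if not id_provider or id_provider == "krb5":
            findings.append(("error", section,
                             "auth_provider = krb5 carries no identities; set id_provider (for example ldap)"))
        if not d.get("krb5_realm"):
            findings.append(("error", section, "krb5_realm is required"))
        if not (d.get("krb5_server") or d.get("krb5_kdcip")):  # krb5_kdcip is the older spelling
            findings.append(("info", section,
                             "no krb5_server: the KDC will be located through DNS SRV records"))
        # chpass_provider defaults to the auth_provider when it is able to change passwords
        chpass = d.get("chpass_provider") or d.get("auth_provider")
        if chpass == "krb5" and not d.get("krb5_kpasswd"):
            findings.append(("warn", section,
                             "password changes via krb5 without krb5_kpasswd: they go to the KDC in "
                             "krb5_server; set krb5_kpasswd if kadmin runs on another host or port"))
    return findings


if __name__ == "__main__":
    for conf in (GOOD_CONF, BAD_CONF):
        for level, section, msg in check_sssd_conf(conf):
            print("%-5s [%s] %s" % (level, section, msg))
    print(fallback_upn("alice", "EXAMPLE.COM"))
```

Run it against a real file by passing the contents of /etc/sssd/sssd.conf to check_sssd_conf; the "warn" finding on GOOD_CONF is the situation the text describes, where a single kadmin server sits behind several read-only KDC replicas and krb5_kpasswd has not been pointed at it.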

8.2.6.1. Setting up SASL/GSSAPI Authentication

GSSAPI (Generic Security Services Application Programming Interface) is a supported SASL (Simple Authentication and Security Layer) authentication mechanism. Kerberos is currently the only commonly used GSSAPI mechanism. An LDAP client and an LDAP server use SASL to negotiate GSSAPI as the authentication method (an alternative to plain-text passwords and similar). The GSSAPI plug-in for SASL is then invoked on the client and server side so that Kerberos authenticates the connection.

Using GSSAPI protected communication for LDAP is an advanced configuration not supported by the Authentication Configuration tool; the following steps show how to manually configure it.

Setting up the SASL/GSSAPI authentication on Red Hat Enterprise Linux 6.0

The following setup works correctly on all Red Hat Enterprise Linux 6.1 systems and any release after it. However, on Red Hat Enterprise Linux 6.0 you must correctly configure the default_realm option in the [libdefaults] section and the kdc option for your realm in the [realms] section of the /etc/krb5.conf configuration file, not only on the directory server and the KDC but also on the client running SSSD. For more information on the /etc/krb5.conf options, refer to the krb5.conf(5) manual page.

On the KDC

Using kadmin, set up a Kerberos service principal for the directory server. Use the -randkey option of kadmin's addprinc command to create the principal and assign it a random key:

kadmin: addprinc -randkey ldap/server.example.com

Use the ktadd command to write the service principal to a file:

kadmin: ktadd -k /root/ldap.keytab ldap/server.example.com

Using kadmin, set up a Kerberos host principal for the client running SSSD. Use the -randkey option of kadmin's addprinc command to create the principal and assign it a random key:

kadmin: addprinc -randkey host/client.example.com

Use the ktadd command to write the host principal to a file:

kadmin: ktadd -k /root/client.keytab host/client.example.com

On the Directory Server

Complete the following steps for a directory server of your choice. A keytab is the principal's long-term key, so copy /root/ldap.keytab and /root/client.keytab off the KDC only over an encrypted, authenticated channel (for example scp), and remove the copies under /root on the KDC once they are installed.

OpenLDAP

Copy the previously created /root/ldap.keytab file from the KDC to the /etc/openldap/ directory and name it ldap.keytab.

Make the /etc/openldap/ldap.keytab file owned by the ldap user and ldap group, writable by the ldap user and readable by the ldap group only (mode 0640), with no access for other users.

Red Hat Directory Server

Copy the previously created /root/ldap.keytab file from the KDC to the /etc/dirsrv/ directory and name it ldap.keytab.

Uncomment the KRB5_KTNAME line in the /etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME variable. For example:

# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/dirsrv/ldap.keytab; export KRB5_KTNAME

On the Client

Copy the previously created /root/client.keytab file from the KDC to the /etc/ directory and name it krb5.keytab. If /etc/krb5.keytab already exists, use the ktutil utility to merge the two files so that the existing entries are preserved. For more information on the ktutil utility, refer to the ktutil(1) manual page.
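Before moving on to sssd.conf, it is worth confirming that the keytabs copied in the steps above actually contain the principals created with ktadd and have the permissions the text calls for, without needing kadmin or klist on the target host. The following is an added example written for this page, not code from the page, SSSD or MIT Kerberos. It reads the MIT keytab version 2 file format directly and shows what the ktutil merge amounts to. The keytab bytes are constructed for the example for ldap/server.example.com and host/client.example.com in the placeholder realm EXAMPLE.COM, and the key material is a placeholder, not a real key.

```python
"""Added example: inspect and merge MIT keytab files, then check a deployed keytab.

Not code from SSSD or MIT Kerberos. The keytab contents are constructed here;
the 32 bytes used as a key are a placeholder, not a real key.
"""
import os
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2: all integers are big-endian


def _counted(data: bytes) -> bytes:
    """A 'counted octet string': uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab entry (used here only to construct the sample files)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                  # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body       # int32 entry length; negative marks a deleted slot


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal@REALM, kvno, enctype and the raw entry bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab, magic %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        raw_start, pos = pos, pos + 4
        if size == 0:
            break
        if size < 0:  # hole left by 'ktutil delent': skip it
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack(">HH", data[p:p + 4]); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[p:p + 2]); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", data[p:p + 4]); p += 4 + klen
        kvno = vno8
        if end - p >= 4:  # a non-zero 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack(">I", data[p:p + 4])
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "raw": data[raw_start:end]})
        pos = end
    return entries


def merge_keytabs(*paths: str) -> bytes:
    """What 'ktutil' rkt/rkt/wkt does: concatenate the live entries of each input file."""
    out = KEYTAB_MAGIC
    for path in paths:
        with open(path, "rb") as f:
            out += b"".join(e["raw"] for e in parse_keytab(f.read()))
    return out


def check_keytab(path: str, expected_principal: str) -> list:
    """Problems with a deployed keytab; an empty list means it looks right."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        problems.append("readable by others (mode %04o); expected 0640" % mode)
    if mode & 0o020:
        problems.append("group-writable (mode %04o); expected 0640" % mode)
    with open(path, "rb") as f:
        names = [e["principal"] for e in parse_keytab(f.read())]
    if expected_principal not in names:
        problems.append("principal %s not in keytab; found %s" % (expected_principal, names))
    return problems


def demo() -> dict:
    """Build ldap.keytab and client.keytab as in the steps above, merge them, and check them."""
    placeholder_key = bytes(range(32))  # NOT a real key; aes256-cts-hmac-sha1-96 (enctype 18) keys are 32 bytes
    tmp = tempfile.mkdtemp()
    ldap_kt, host_kt = os.path.join(tmp, "ldap.keytab"), os.path.join(tmp, "client.keytab")
    with open(ldap_kt, "wb") as f:
        f.write(KEYTAB_MAGIC + build_entry("ldap/server.example.com", "EXAMPLE.COM", 2, 18, placeholder_key))
    with open(host_kt, "wb") as f:
        f.write(KEYTAB_MAGIC + build_entry("host/client.example.com", "EXAMPLE.COM", 1, 18, placeholder_key))
    os.chmod(ldap_kt, 0o640)
    os.chmod(host_kt, 0o644)  # deliberately too open, so the check fires
    merged_bytes = merge_keytabs(ldap_kt, host_kt)  # the ktutil merge step for /etc/krb5.keytab
    with open(os.path.join(tmp, "krb5.keytab"), "wb") as f:
        f.write(merged_bytes)
    return {
        "ldap_ok": check_keytab(ldap_kt, "ldap/server.example.com@EXAMPLE.COM"),
        "host_problems": check_keytab(host_kt, "host/client.example.com@EXAMPLE.COM"),
        "missing": check_keytab(ldap_kt, "host/client.example.com@EXAMPLE.COM"),
        "merged": [e["principal"] for e in parse_keytab(merged_bytes)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real system, call check_keytab on /etc/openldap/ldap.keytab (or /etc/dirsrv/ldap.keytab) with the ldap/ principal and on /etc/krb5.keytab with the host/ principal. The ownership requirement (ldap user and group for the directory server's keytab, root for /etc/krb5.keytab) is not checked here because the ldap account does not exist on the machine running the example; verify it with ls -l alongside the mode check.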

Modify your /etc/sssd/sssd.conf file to include the following settings: